Pretty scary. We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

Though they’re back up and running, who knows if customers will stick by them, or will sue them.
What impact that had on infrastructure mail servers, backup servers, and SQL Servers for customers is hard to judge.
A large number of people might have lost their mailboxes and previously stored mail that was in IMAP storage.
This is likely an annoyance for individuals, but potentially catastrophic for businesses. Imagine your small business hosted with them and all your mailboxes were lost with customer communications and who knows what else.

Could this happen with a cloud provider like Azure O365, Google Apps or AWS?
Maybe, but they will have DR backups.
But what if you store backups in the cloud but run on premise: how long would it take to mass restore multiple customers? Do you still have adequate on-premise test systems to restore on, and the staff and the time to do it?

Do you assume that you will always have either a primary server or an online backup server/share/bucket/container from which you can download data?
The problem is that online systems that connect to the primary can be accessed.
If an attacker were to access one, they potentially could access the second.
The world seems to be moving towards more online storage, or in the case of cloud vendors, a reliance on snapshots. That might be good enough for cloud vendors, but is it good enough for your on-premise system?
It’s likely that an attacker, possibly even with insider help, would wipe out backups first, then primary systems.
Some sort of disconnected offline backup of data, especially for database servers, gives you a third line of defence.
Don’t forget that backups need to be tested: is the backup software compatible with old versions? Does your backup use the same version as the current ERP software installed on your primary, or the same SQL version (i.e. when you upgrade, do you also upgrade your backups, or maintain an older environment)?

Microsoft and other large vendors have had downtime, whether self induced by releasing code too early, or due to hardware failure, or malicious attack. What is important to realise is just how infrequent such issues are given the number of clients they have across a range of solutions, how little the downtime was, and how fast they are at addressing issues that arise. Then think about how you would have been able to deal with the same issues in your own server room.

There are increasing risks, and increasing issues of statutory compliance with regard to data protection, e.g. GDPR. The cloud generally offers cheap storage and robust systems, yet it needs to be part of a holistic approach to reduce overall risk and cost, and not the only line of defence.

This year’s event took place yesterday and today at the Madinat Jumeirah Dubai (December 5-6) and showcased a wide range of innovative solutions from the world’s leading hospitality technology providers. Synergy Software Systems together with Deyafa Systems presented the Inigma software solution.

Inigma task management system and collaboration platform offers a smoother and more efficient way to run operations for any hotel.

Bahrain will be the next country to implement five per cent value-added tax (VAT) after the UAE and Saudi Arabia as part of the GCC framework agreed between the six states, according to tax experts. Bahrain’s parliament, in an extraordinary session ordered by royal decree, has approved the introduction of 5 percent value-added tax (VAT) in the kingdom from January 1 2019. The move must also be approved by Bahrain’s upper house.

The introduction of VAT will be a big challenge for the local Bahrain market, and businesses now have less than 3 months to be prepared for these changes. This announcement of a definitive date for the tax to become effective means that businesses should accelerate their VAT readiness preparations. Last week, Bahrain announced a fiscal overhaul meant to balance its budget by 2022, backed up by a $10 billion economic support package from Saudi Arabia, the UAE and Kuwait. The plan aims to raise $2.1 billion a year as Bahrain looks to curb its debt after years of lower oil prices.

At the start of 2018 VAT was introduced in both K.S.A. and the U.A.E. Synergy Software Systems has extensive experience of VAT implementation in business systems like Dynamics 365 Finance and Operations, Dynamics Ax, and Infor SunSystems in both K.S.A. and the U.A.E., across almost 200 customers in varied vertical sectors.

VAT Registration
• The compulsory VAT registration threshold in Bahrain is BHD 37,000 per annum.
• A voluntary registration for businesses below this threshold is permitted, although this has its own minimum threshold of BHD 18,850 per annum.
• There is scope for related businesses to apply for a single, Group VAT registration.
• There is no threshold for non-resident businesses, which must register prior to their first supply. Foreign registrations may be either direct, or via a local Fiscal Representative.

Bahraini VAT rates
Generally, Bahrain follows the terms of the Agreement, including the harmonised standard VAT rate of 5%, but has a wider range of zero and reduced VAT rates to provide subsidies to the less well off in society.

5% Standard From 1 January 2019: All other supplies of goods, or services, including imports, in accordance with the Unified VAT Agreement.

Bahraini VAT invoices
VAT invoices must contain the following information as a minimum:
• Date of invoice (and date of supply if different)
• Unique, sequential invoice number
• Tax ID number of the supplier
• Name and address of the supplier and customer
• Description and quantity of the goods supplied; nature of services provided
• Gross, VAT and net values of supply
• VAT rate applied, and explanation where not the standard rate
Invoices must be issued within 15 days following the month of supply of the taxable goods or services.

Bahraini VAT Returns
Registered tax payers must submit their periodic returns each month.
Returns must be filed by the last working day of the month following the reporting period.

Penalties for non-compliance
Timely preparation is critical because VAT is generally a self-assessed tax, and errors are often subject to severe penalties and business disruption.
Businesses that have been operating in a largely non-tax environment should already have started to prepare and to analyze in detail what the implications of the new tax will be, for example on their pricing, contracts and IT systems.
The following penalty regime for non-compliance is in place, with financial penalties and potential prison terms:
• BD10,000 for failure to register for VAT within 60 days of the required date
• Failing to issue a VAT invoice within 15 days of the month following the taxable supply
• Failing to submit a VAT return and/or pay any VAT due by the end of the month following the reporting month

Transition rules
The following rules will apply to supplies contracted and supplied over the introductory period:
• Where invoices were issued, or payments made, prior to 1 January 2019 for post-implementation supplies, then VAT is still due. In this case, a debit note for the original invoice should be issued with the correct VAT indicated.
• Initially, goods supplied to other GCC states that have also implemented VAT (Saudi Arabia and UAE) will be treated as exports. There are plans to introduce zero-rating with reverse charge supplies to eliminate import VAT, but this is dependent on the introduction of an Electronic Services System transaction reporting platform, which has yet to be developed.
• For pre-January 2019 contracts which are silent on the VAT treatment, then the price will be VAT inclusive. This presents a cash flow risk for the supplier.

Other GCC Countries
The Sultanate of Oman announced that VAT would be introduced in 2019, most likely mid-2019.
The Kuwaiti parliament is yet to vote on the VAT bill which should be introduced in the upcoming session before the year-end. The expected timeline of introduction of VAT in Kuwait is late 2019 or 2020.

EY estimated that a five per cent VAT rate will produce revenues of over $25 billion per annum for the six GCC countries.

For all the talk around the rise of AI, or Artificial Intelligence, the technology isn’t new. We use AI in our daily lives.

Predictive text is the most visible example. Google searches and Word spellcheck are examples. You frequently text a friend to meet at the mall. You type: “Meet me at the …” Your phone suggests “park” or another common place to meet. Over time, your phone learns, and the suggestions start to prioritize “mall” over other words.

A basic case is that AI:
• takes data,
• analyzes it,
• implements a solution (suggesting the next word),
• evaluates the results (recognizing that you almost always type “bar” with that friend),
• and then repeats the process with improved recommendations based on data.
• Over time, the system grows smarter.

Typically ‘triggers’ to execute a ‘script’ were ways to automate processes. A log file is monitored and a key word triggers a support ticket, or runs a script. Over time the system learns and can predict and run checks before the error happens.
Other examples of AI in everyday life include pricing on ridesharing apps, facial recognition in social media and even non-player characters in video games.

Until recently, the technology was available to a few companies with deep pockets. To take advantage of AI, you had to have a big data center, specialized software and data scientists in house. We’ve reached a tipping point. With cloud-based technology, companies of all sizes can more easily plug into AI-infused applications at a much lower entry cost.
AI is the next big disrupter in many industries.

Let’s look at the wholesale trading industry. Here are two ways you can leverage AI to benefit a business:

Optimize where a team spends their time.
- Imagine the ability to direct your Accounts Receivable team to the late-paying customers that are most likely to respond.
- AI can help distributors differentiate between those who aren’t going to pay and need to be turned over to collections, and those who are more likely to pay with just one phone call.
- AI could also direct a call centre team to focus on certain times of day to increase the likelihood someone picks up the phone. Given the importance of cashflow to distributors, this is a powerful application of the technology.
- The same idea goes for a sales team. With which customers should they be spending more time? AI can identify the data points that influence purchasing, such as whether a prospect downloaded a whitepaper, they have an account exec assigned to them, or they have previously purchased related products.

It could even be something you can’t control, like the weather forecast. If it’s going to be 110 degrees, you can expect an uptick in sales of air conditioning units or parts to fix them in certain geographies. AI can identify these opportunities for salespeople. AI then adjusts those recommendations based on how customers respond, and the cycle continues.

Grow sales and margin with existing customers.
When a customer is checking out on a website, via your call center, at the counter or through another channel, how can you engage them more? Enter AI. For example, let’s say that data show that electrical contractor customers of a particular size regularly buy red, green, white and black 10-gauge copper wire at the same time. So when an electrical contractor of that size selects just red, green and white, a salesperson should be prompted to ask: “Are you forgetting black?” Chances are, the customer will add black wire to the basket.

To identify those relationships, however, and to code them into your system is a lot of work. We can do much of this already with BI analysis and on-screen prompts. Add to that the evaluation of whether the offers were effective – how often they were accepted, how often they weren’t (and why) – and adjusting for that on the next sale, or updating sales scripts and offers. It becomes increasingly difficult if not impossible to do that manually across thousands of products.
AI can do this far more quickly and effectively than a human can, and can have a big impact on the top line. A foodservice distributor grew sales volume by 5% nearly overnight after turning on an AI-powered cross-sell and upsell recommendation engine on their website.

This is not just about selling online. Sure, distributors use cross-sell/upsell technology to grow share across their channels. However, they can also provide more meaningful, targeted content to make the customer’s selection process smoother and better informed, to draw the customer’s attention to designs or offers that are likely to be of interest, and so on. The ROI can be huge, and it requires very little upfront work by humans.

Pricing software is a more mature application of AI-based technology, determining the optimal price for a particular item based on lost sales, historical sales volume, competitor pricing, potential for upsell, cross-sell or repeat sales, and other data points. Hotels and airlines use revenue yield management. If it’s a business trip they may feel you will spend more in their restaurant on an expense account. I may only book when rates are cheap, but I might always eat in house, use pay TV, and order wine with my meal, and be a more profitable customer. If my rooms for tonight or my airline seats are less than 50% sold then I might discount heavily to ensure I sell enough to cover costs, but once past 80% I may charge a premium price because you may be desperate with little choice, and a few high value sales will make up for the one or two I lose.

If a product has excess stock and is nearing the end of its shelf life, or a cinema is going to be half empty, then AI can auto trigger instant SMS sales promotions or happy hours. But can it learn and predict and better tune the films shown in a given cinema, whether average clothes sizes are trending bigger, or whether some colours and sizes will sell better in one branch than another, and how that correlates with other data? How much is spent on marketing, what other sales are happening nearby, are temperatures going to rise, what is the expected change in the exchange rate, inflation rate or oil price and will that affect the number of tourists, and will revised parking fees affect who shows where and when?

Is this a Big Brother nightmare, or does it mean that we are going to get better service because what we need to buy is going to be in stock even before we realise we need it?

As new, younger Generation Z employees are hired into purchasing roles, they expect the kind of customer experience that AI-powered technology can deliver. This technology is here now. It’s not just a technical decision. There are real business benefits to using AI, including growing average order size, boosting margins and tightening customer relationships.

On July 9, 2019, Microsoft will end Extended Support for SQL Server 2008 and 2008 R2, which means no more updates or support of any kind, potentially leaving you vulnerable to security and compliance issues.
Some considerations:
That is only a year away. So time to start planning and to get it into your 2019 budget.
What applications are affected? With what new SQL version are they compatible?
Will you need to rebuy licenses? The SQL license cost is now core based and it might prove a lot higher than last time, so take the time to consider all options.
Should any of your applications move to the cloud?
Should you also look at upgrades to hardware, Windows, Office, Exchange, or business finance/ERP systems in conjunction with SQL?
Is now the time to review your security solutions?
Are you going to expand, or implement heavy new processes like consolidation, budgeting, BI in the next 2-3 years?
Is your mobile network growing?

There are major enhancements at SQL 2016 SP1, so we recommend you should not consider any version lower than that. By next year SQL 2017 will also have settled down.

If you have not yet upgraded to SunSystems 6.3 from Infor it is time to consider what major benefits are available for existing SunSystems clients. Infor has for many years provided ongoing support for a range of SunSystems versions. This has been great for clients to maximise their investment in the solution over extended time frames, but it can cause difficulty when assessing when and why to upgrade to the latest version. This comprehensive, updated financial management system is particularly significant because it not only delivers many new features and enhancements but also runs on Infor Xi, the latest and most innovative enterprise technology platform from Infor.

Let’s have a look at the various top level versions in use today:

SunSystems v4 (The current production release is v4.4)
Pros: A proven, self-contained system that operates on minimal IT infrastructure and demands little support and maintenance effort. Continues to be patched and upgraded with new features and Microsoft technology framework compliance.
Cons: It’s been around a long time with an aging user interface, some operating limitations on modern technology platforms and is not integrated to the Infor Platform Xi enterprise framework.

SunSystems v5 (The final version is v5.4)
Pros: Still covered under the support framework.
Cons: This version is effectively at end-of-life from an extension point of view. There are no new patches or updates being released, it will not be kept compliant with future versions of Microsoft Windows and SQL Server and it is not possible to purchase additional user licences.

SunSystems v6 (v6.3)
Pros: Significant increase in power and scalability from the original Sun 4.
A complete re-visioning of the system: more agility, flexibility, and control for companies with complex financial management requirements, multi-company operations, multi-currency trading.
Modern user interface stemming from Infor’s in-house user experience and design team, Hook and Loop.
Cons: SunSystems itself and the broader Infor Platform Xi framework demand more computing power and hardware than v4 or v5 did.

Why upgrade now to SunSystems v6.3?

User experience and usability – the screen designs and operation are revised to enhance user experience. Think “apps” on smartphones and tablets that require little or no user training; Infor has a vision of enterprise grade software usability going the same way. Every new release takes steps towards that goal using content feeds, visual triggers and graphics to help people navigate rather than menus and options.
SunSystems users can now replace their Favorites menu page with a customizable homepage—available through Infor Ming.le® or directly within SunSystems. Users can also select the graphical content that best reflects their roles and daily tasks with drag-and-drop widgets. Widgets allow users to create links to relevant SunSystems functions, reports, and records, to help speed up routine tasks and navigation.

Integrated Document Management Repository – best practice financial management is underpinned by substantiating documents from many sources. The integrated document management repository lets you attach a PDF or other document to the exact transaction or reference data it relates to and to easily find and view that document again at any time. Documents can be searched and retrieved directly from within the web-based IDM application.

External web portal – this new module allows secure access to SunSystems documents for additional stakeholders to engage electronically with the financial arm of the business. Get your suppliers to upload their own invoices and maintain their own details; let your clients access their own statements and order history, or let your employees access their expenses history. Reduce the number of queries into the finance team and the rekeying of data when external stakeholders could choose to serve themselves.

Automated master data management – for larger companies running multiple sites or business units the administration of managing common reference data between systems and entities can be centralised. Define a primary business unit for your supplier register and any moves/adds/changes/deletes applied to this primary data can be automatically applied to any nominated secondary entities.

Configuration
Infor SunSystems 6.3 consolidates all configuration settings, over 400 of these, into a single web-based console and makes complete control of all aspects within the system much easier.

Performance
Allocate memory capacity in Ledger Import caching, to speed up the process – up to 2 – 3 times faster.
For many processes the system’s memory is now dynamically allocated for maximum performance. The caching limits can be set in the Configuration Manager and, once a task is completed, all allocated memory will be freed immediately. Similar web-enabled enhancements are extended to functions like Transfer Desk, Business Unit Administration, and SunSystems Connect portal.

Currency Rate Type
Multicurrency functionality has always been a key strength of Infor SunSystems. In the 6.3 release, users can create different sets of exchange rates for different purposes and have control of when and how they can use a specific rate type. Use one exchange rate that is different from the default monthly rate for a specific collection run. Use a different rate for evaluation than the rate used for day-to-day transactions. These rate types are defined at business unit level.

Withholding tax
Now a core function. SunSystems can now automatically calculate withholding taxes for payment and invoice posting directly from within the core SunSystems application.

Form management
Currently, when users want to make some changes to a form, they need to check out that form, make necessary changes, and check it in again. Sometimes, users check out forms and forget to check them back in again. With SunSystems 6.3, the check-in and check-out process is performed entirely in the background. Users only need to open the form and make amendments using Forms Designer.

For more information contact Synergy Software Systems, your SunSystems U.A.E. partner, supporting clients across MEA for over 20 years, 0097143365589

The digital world is already here, and what seemed science fiction a few years back we now accept as everyday. Voice activated commands on our smartphones now also query our databases and update our dashboards, remote medical checks are done at an ATM, and artificial intelligence and big data influence our lives every time we log onto Google, Amazon, Facebook or ring a call centre.

We have been investigating IoT for over a year, particularly with regard to condition monitoring for asset management, and several of our team were involved in recent training that included a hands-on session for Microsoft Field Services. This is built on the Dynamics 365 platform as an extension of CRM and offers comprehensive features for field service: help desk, engineer scheduling and mobile operations. Field service is aimed at service companies with a large field force of service engineers and is typically integrated with ERP systems, and thus the overall project can be quite complex. To reduce the risk and implementation time we offer a proven accelerator.

We also offer an Enterprise Asset Management suite which has been successfully deployed in several leading UAE companies for a number of years, particularly for asset tracking.

In Dynamics 365/2012 for Ax, EAM also needs to consider that both engineers and equipment may be used in production or on projects. Thus engineering and maintenance scheduling also has to consider in-house planned and breakdown maintenance and servicing, more complex overhauls and asset structures, the impact of equipment downtime on production schedules and much more. We offer a Microsoft certified ISV integrated suite of EAM modules built on the Ax 2012/D365 platform that covers both field service and mobile as well as in-house maintenance.

Predictive maintenance, SCADA integration, extensive condition monitoring, and embedded and Power BI analytics are no longer rocket science.
At a recent 4 day client workshop we demonstrated HoloLens assisted reality to support engineers. This can, for example, be used to provide step by step guidance or for collaboration from the field with an OEM, a remote manufacturer, or your chief engineer.

Account maintenance is now mandatory under UAE VAT Law and it facilitates the correct receipt and payment of cash and other transactions entered by a company. Audited accounts will be needed so don’t wait till year end to find an auditor that suits your business.

2- Make changes to the core processes and accounting departments

It is important to change your core processes and adapt your accounting departments to achieve tax compliance. For SMEs, with limited transactions, the task is easier as the transition is less likely to require significant systematic change or they might use an external bookkeeper or tax agent.

3- Train staff, especially financial management

Employees need proper insight around GCC-wide initiatives to implement VAT across the region and how companies should prepare. Help them de-mystify VAT by providing on the job training and a framework to raise and clarify queries. Avoid disputes with trading partners and ensure staff have the relevant information and training to resolve issues that arise.

4- Review your contracts and the contracts and conditions agreed with dealers

Many businesses negotiated contracts at a time VAT was not payable but running across the implementation dates. It is time to now bring contracts into step with the UAE’s economic context.

5- Consider accounting software for bookkeeping

Electronic reporting systems are increasingly being used by tax authorities. The ability to produce the required audit file details on demand will be difficult without a system. Companies that use electronic invoicing are likely to improve the timing of VAT recovery on costs.

6- Adhere to VAT deadlines

Register your company to avoid a fine as severe as AED 20,000. The Federal Tax Authority (FTA) has already extended the deadline to the 1st January, and if you don’t complete VAT registrations you will also have to stop sales till you get your tax registration certificate (TRC).

Note initial returns are due 28 January 2018 so time is running out.

7- Study UAE tax legislation

The implementation of taxes in the UAE came with a whole new set of procedures. We recommend that you study and get familiar with the different laws in place, including the UAE VAT Law, and discuss them with your auditor, tax agent and software provider.

8- Keep an eye out for new information

There have been a slew of clarifications in the last month and some details are still not finalised e.g. with regard to free zones, or which companies will report monthly and which quarterly.

The Federal Tax Authority (FTA) has announced the supplies that will be subject to Value Added Tax (VAT) as of January 1, 2018. Selected supplies in sectors such as transportation, real estate and financial services will be completely exempt from VAT, whereas certain government activities will be outside the scope of the tax system (and, therefore, not subject to tax). These include activities that are solely carried out by the government with no competition with the private sector, and activities carried out by non-profit organisations.

The UAE Cabinet is expected to issue a decision to identify the government bodies and non-profit organisations that are not subject to VAT.

VAT treatment on select industries:

Education:

Private and public school education (excluding higher education) and related goods and services provided by education institution 0%
Higher education provided by institution owned by government or 50% funded by government, and related goods and services 0%
Education provided by private higher educational institutions, and related goods and services 5%
Nursery education and pre-school education 0%
School uniforms 5%
Stationery 5%
Electronic equipment (tablets, laptops, etc.) 5%
Renting of school grounds for events 5%
After school activities for extra fee 5%
After school activities supplied by teachers and not for extra charge 0%
School trips where purpose is educational and within curriculum 0%
School trips for recreation or not within curriculum 5%

Healthcare:

Preventive healthcare services including vaccinations 0%
Healthcare services aimed at treatment of humans including medical services and dental services 0%
Other healthcare services that are not for treatment and are not preventive (e.g. elective, cosmetic, etc) 5%
Medicines and medical equipment as listed in Cabinet Decision 0%
Medicines and medical equipment not listed in Cabinet Decision 5%
Other medical supplies 5%

Oil and Gas:

Crude oil and natural gas 0%
Other oil and gas products including petrol at the pump 5%

Transportation:

Domestic passenger transportation (including flights within UAE) Exempt
International transportation of passengers and goods (including intra-GCC) 0%
Supply of a means of transport (air, sea and land) for the commercial transportation of goods and passengers (over 10 people) 0%
Supply of goods and services relating to these means of transport and to the transportation of goods and passengers 0%

Real Estate:

Sale and rent of commercial buildings (not residential buildings) 5%
First sale/rent of residential building after completion of construction or conversion 0%
First sale of charitable building 0%
Sale/rent of residential buildings subsequent to first supply Exempt
Hotels, motels and serviced accommodation 5%
Bare land Exempt
Land (not bare land) 5%
UAE citizen building own home 5% (recoverable)

Financial Services:

Margin based products (products not having an explicit fee, commission, rebate, discount or similar) Exempt
Products with an explicit fee, commission, rebate, discount or similar 5%
Interest on forms of lending (including loans, credit cards, finance leasing) Exempt
Issue, allotment or transfer of an equity or debt security Exempt

Wired and wireless telecommunications and electronic services: 5% VAT rate
Telecommunications and electronic services:
– Sovereign activities which are not in competition with the private sector undertaken by designated government bodies Considered outside VAT system
– Activities that are not sovereign or are in competition with the private sector VAT rate dependent on good/service ignoring provider

Not for Profit Organizations:

Activities of foreign governments, international organisations, diplomatic bodies and missions acting as such (if not in business in the UAE) Considered outside VAT system
Charitable activities undertaken by societies and associations of public welfare which are listed by Cabinet Decision Considered outside VAT system
Activities of other not for profit organizations (not listed in Cabinet Decision) which are not business activities Considered outside VAT system
Business activities undertaken by the above organizations VAT rate dependent on good/service ignoring provider

Free zones:

Supplies of goods between businesses in designated zones Considered outside VAT system
Supplies of services between businesses in designated zones VAT rate dependent on service ignoring location
Supplies of goods and services in non-designated zones VAT rate dependent on good/service ignoring location
Supplies of goods and services from mainland to designated zones or designated zones to mainland VAT rate dependent on good/service ignoring location

Other:

Export of goods and services to outside the GCC implementing states 0%
Activities undertaken by employees in the course of their employment, including salaries Considered outside VAT system
Supplies between members of a single tax group Considered outside VAT system
Any supplies of services or goods not mentioned above (includes any items sold in the UAE or service provided) 5%
Second hand goods (e.g. used cars sold by retailers), antiques and collectors’ items 5% of the profit margin

The UAE and Saudi Arabia are the two GCC member countries which will implement Value Added Tax (VAT) Reform from 1st January 2018 whereas the remaining member countries will implement over the coming years.

According to the UAE tax officials, it is anticipated that the new tax reform will help to generate nearly Dh12 billion (around 0.8 percent of GDP) revenue in the initial year after the introduction of the VAT. It might increase to Dh20 billion (around 1.2 percent of GDP) in the succeeding year (2019).

The UAE Federal Tax Authority (FTA) online portal is open 24/7 to allow for taxpayers to register for VAT purposes. The FTA has also determined the deadlines for the application for VAT registration based on business turnover.
For larger companies VAT registration is required by 31 October 2017, and such businesses should immediately consider the timeline requirement given their turnover profile and the other registration requirements.
Businesses that are required to register for VAT will need to set up an online account on the FTA website and complete the VAT registration form.

The FTA has announced that a phased registration approach has been introduced. In particular, those businesses that meet these criteria must comply with the relevant application dates for registration:
● Businesses with an annual turnover exceeding AED 150 million must apply for registration by 31 October 2017
● Businesses with an annual turnover exceeding AED 10 million must apply for registration by 30 November 2017
● Remaining businesses with an annual turnover exceeding the mandatory registration threshold (expected to be AED 375,000) must apply for registration by 4 December 2017

Before businesses complete the VAT registration form, the FTA provides a “Getting Started Guide” that shares essential information they should be aware of. This includes information on the registration criteria, registration of a VAT group, and the necessity to register if only zero-rated supplies are made.

Additional details clarifying the VAT registration mechanism are found in the VAT registration guide, a document posted on FTA online portal under the “Advice” tab. This document captures the
calculation of turnover for VAT purposes, a walk-through of VAT registration through the FTA
registration portal, registration of a VAT group and types of books and records required to be held by a
taxpayer to ensure accurate tax compliance.

We strongly advise businesses to visit the FTA website to initiate their VAT registration application by their applicable deadline, after having considered the guidance provided by the FTA and other advice as required (for instance VAT Grouping).
Businesses should allow time to compile the required information for the VAT registration.

You never know when some item that queries or alters data in SQL Server will cause issues.

Bruce Schneier recently commented on FaceID and Bluetooth security, the latter of which has a vulnerability issue. I was amazed to see his piece on infrared camera hacking. A POC on using light to jump air gaps is truly frightening. It seems that truly anywhere that we are processing data, we need to be thinking (see https://arstechnica.com/information-technology/2017/09/attackers-can-use-surveillance-cameras-to-grab-data-from-air-gapped-networks/)

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected.

– the Equifax breach for example must worry everyone who has ever had credit in the USA. (Hackers broke into Equifax’s computer systems in March, which is two months earlier than the company had previously disclosed, according to a Wall Street Journal report.)

The Securities and Exchange Commission said Wednesday that a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016. In a statement posted on the SEC’s website, Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system (which processes over 1.7 million electronic filings in any given year.) The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.

So let me suggest you take a good look at your systems and be honest – do you feel safe?

Microsoft has released Microsoft 365, a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. Watch Satya introduce it.

What about your websites?
Although acts of vandalism such as defacing corporate websites are still commonplace, hackers prefer to gain access to the sensitive data residing on the database server and then to sell the data.

The costs of not giving due attention to your web security are extensive. Apart from the direct financial burden and inconvenience, you also risk:
• Loss of customer confidence, trust and reputation with the consequent harm to brand equity
• Negative impact on revenues and profits arising e.g. from falsified transactions, or from employee downtime
• Website downtime, which is in effect the closure of one of the most important sales and marketing channels, especially for an e-business
• Legal battles and related implications from Web application attacks and poor security measures, including fines and damages to be paid to victims.

Web Security Weaknesses
Hackers will attempt to gain access to your database server any way they can, e.g. through out-of-date protocols on a router. The two main targets are:
• Web and database servers.
• Web applications.

Information about such exploits is readily available on the Internet, and many have been reported on this blog previously.

Web Security Scanning
So no surprise that Web security should contain two important components: web and database server security, and web application security.

It is of paramount importance to scan the security of these web assets on the network for possible vulnerabilities. For example, modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be
accessed through specific ports and so anyone can attempt direct connections to the databases to try and bypass the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability.

Other weaknesses relate to the database application itself and the use of weak or default passwords by administrators. Vendors patch their products regularly, and attackers equally regularly find new ways of attack.

75% of cyber attacks target weaknesses within web applications rather than directly at the servers. Hackers launch web application attacks on port 80. Web applications are more open to uncovered vulnerabilities since these are generally custom-built and therefore pass through a lesser degree of testing than off-the-shelf software.

Some hackers, for example, maliciously inject code within vulnerable web applications to trick users
and redirect them towards phishing sites. This technique is called Cross-Site Scripting (XSS) and may
be used even though the web and database servers contain no vulnerability themselves.

Hence, any web security audit must answer the questions “which elements of our network
infrastructure are open to hack attacks?”, “which parts of a website are open to hack attacks?”, and “what data can we throw at an application to cause it to perform something it shouldn’t do?”
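The injection described above, and the audit question of what input makes a page misbehave, can be shown on a single page fragment. This is an added example, not code from the original post or from Acunetix; the function names, the probe string and the ALLOWED_HOSTS set are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed probe: a harmless marker followed by HTML metacharacters.
CANARY = 'zq7"\'<x>'
# Assumption: the only external host this site is allowed to link to.
ALLOWED_HOSTS = {"example.com"}


def render_vulnerable(name: str, link: str) -> str:
    # Deliberately unsafe: user input is pasted straight into the markup,
    # so a script tag or a link to another site becomes part of the page.
    return f'<p>Hello {name}</p><a href="{link}">your profile</a>'


def safe_href(link: str) -> str:
    """Return the link if it stays on an allowed host, otherwise '#'."""
    link = link.strip()
    if "\\" in link:  # browsers treat '\' like '/', e.g. '/\host'
        return "#"
    parts = urlsplit(link)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return link
    # Site-relative path only: no scheme, no host ('//host/x' has a netloc).
    if not parts.scheme and not parts.netloc and link.startswith("/"):
        return link
    return "#"


def render_hardened(name: str, link: str) -> str:
    # Encode for the HTML context and validate the URL before use.
    return (f"<p>Hello {html.escape(name)}</p>"
            f'<a href="{html.escape(safe_href(link), quote=True)}">'
            "your profile</a>")


def reflects_unencoded(render) -> bool:
    """Audit check: does the page echo the probe's metacharacters verbatim?"""
    return CANARY in render(CANARY, CANARY)


if __name__ == "__main__":
    for fn in (render_vulnerable, render_hardened):
        print(fn.__name__, "reflects probe unencoded:", reflects_unencoded(fn))
    print(render_hardened("<script>x</script>", "https://phish.example/login"))
```

Running the same probe against both renderers is the core of what a scanner reports: the unencoded reflection is the finding, and encoding plus link validation is the fix.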

Ask us about Acunetix and Web Security
Acunetix ensures web site security by automatically checking for SQL Injection, Cross Site Scripting,
and other vulnerabilities. It checks password strength on authentication pages and automatically
audits shopping carts, forms, dynamic content and other web applications. As the scan is being
completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

See our previous article on this topic for why your company may be affected if you are a branch of a European company, or have branches in Europe, or trade with a European company.

From May 25, 2018, companies with business operations inside the European Union must follow the General Data Protection Regulation (GDPR) to safeguard how they process personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

The penalties set for breaches of GDPR are up to 4% of a company’s annual global turnover.
For large companies like Microsoft that have operations within the EU, making sure that IT systems do not contravene GDPR is critical. As we saw on August 3, even the largest software operations like Office 365 can have a data breach.
Many applications can store data that might come under the scope of GDPR. The regulation has a considerable influence over how tenants deal with personal data. The definition of personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR goes on to define processing of personal data to be “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

That means that individuals have the right to ask companies to tell them what of their personal data a company holds, and to correct errors in their personal data, or to erase that data completely.

Companies therefore need to:
- review and know what personal data they hold,
- make sure that they obtain consents from people to store that data,
- protect the data,
- and notify authorities when data breaches occur.

On first reading, this might sound like what companies do – or at least try to do – today. The difference lies in the strength of the regulation and the weight of the penalties should anything go wrong.

GDPR deserves your attention.

The definitions used by GDPR are broad. To move from the theoretical to the real world an organization first needs to understand what personal data it currently holds for its business operations, and where they use the data within software applications.

Other examples might include contract documentation, project files that include someone’s personal information, and so on.

What backups do you have of the customer’s data?
What business data do your staff hold on BYOD devices e.g. in WhatsApp?

Data Governance Helps
Fortunately, the work done inside Office 365 in the areas of data governance and compliance helps tenants to satisfy the requirements of GDPR. These features include:
• Classification labels and policies to mark content that holds personal data.
• Auto-label policies to find and classify personal data as defined by GDPR. Retention processing can then remove items stamped with the GDPR label from mailboxes and sites after a defined period, perhaps after going through a manual disposition process.
• Content searches to find personal data marked as coming under the scope of GDPR.
• Alert policies to detect actions that might be violations of the GDPR such as someone downloading multiple documents over a brief period from a SharePoint site that holds confidential documentation.
• Searches of the Office 365 audit log to discover and report potential GDPR issues.
• Azure Information Protection labels to encrypt documents and spreadsheets holding personal data by applying RMS templates so that unauthorized parties cannot read the documents even if they leak outside the organization.

Technology exists today within Office 365 that can help with GDPR.

Classification Labels
Create a classification label to mark personal data coming under the scope of GDPR and then apply that label to relevant content. When you have Office 365 E5 licenses, create an auto-label policy to stamp the label on content in Exchange, SharePoint, and OneDrive for Business found because documents and messages hold sensitive data types known to Office 365.

GDPR sensitive data types

Select from the set of sensitive data types available in Office 365.
The set is growing steadily as Microsoft adds new definitions.
At the time of writing, 82 types are available, 31 of which are obvious candidates to use in a policy because those are for sensitive data types such as country-specific identity cards or passports.
Figure 1: Selecting personal data types for an auto-label policy (image credit: Tony Redmond)

GDPR Policy

The screenshot in Figure 2 shows a set of sensitive data types selected for the policy. The policy applies a label called “GDPR personal data” to any content found in the selected locations that matches any of the 31 data types.

Auto-apply policies can cover all Exchange mailboxes and SharePoint and OneDrive for Business sites in a tenant – or a selected sub-set of these locations.

Figure 2: The full set of personal data types for a GDPR policy (image credit: Tony Redmond)

Use classification labels to mark GDPR content so that you can search for this content using the ComplianceTag keyword (for instance, ComplianceTag:"GDPR personal data").

Caveats:
It may take 1-2 weeks before auto-label policies apply to all locations.
An auto-label policy will not overwrite a label that already exists on an item.

A problem is that classification labels only cover some of Office 365. Some examples of popular applications where you cannot yet use labels are:
• Teams.
• Planner.
• Yammer.

Microsoft plans to expand the Office 365 data governance framework to other locations (applications) over time.

Master data management
What about all the applications running on SQL or other databases?
Master Data Management (MDM) has been a feature of SQL since SQL 2012. However, when you have many data sources then you are really into an ETL process, and even with MDM tools the work is still significant.

If you have extensive requirements then ask us about Profisee, our specialist, productized MDM solution built on top of SQL MDM that allows you to do much of the work by configuration.

Right of Erasure
Finding GDPR data is only part of the problem. Article 17 of GDPR (the “right of erasure”), says: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” In other words, someone has the right to demand that an organization should erase any of their personal data that exists within the company’s records.

Content searches can find information about someone using their name, employee number, or other identifiers as search keywords, but erasing the information is something that probably also needs manual processing to ensure that the tenant removes the right data, and only that data.

You can find and remove documents and other items that hold someone’s name or other identifier belonging to them by using tools such as Exchange’s Search-Mailbox cmdlet, or Office 365 content searches.
What if the data has to be retained because the company needs to keep items for regulatory or legal purposes? Can you then go ahead and remove the items?
The purpose of placing content on-hold is to ensure that no-one, including administrators, can remove that information from Exchange or SharePoint.

The GDPR requirement to erase data on request means that administrators might have to release holds placed on Exchange, SharePoint, and OneDrive for Business locations to remove the specified data. Once you release a hold, you weaken the argument that held data is immutable. The danger exists that background processes or users can then either remove or edit previously-held data and so undermine a company’s data governance strategy.

The strict reading of GDPR is that organizations must process requests to erase personal data upon request.
What if the company needs to keep some of the data to satisfy regulations governing financial transactions, taxation, employment claims, or other interactions? This is a dilemma for IT. Lawyers will undoubtedly have to interpret requests and understand the consequences before making decisions and it is likely that judges will have to decide some test cases in different jurisdictions before full clarity exists.

Hybrid is even More Difficult

Microsoft is working to help Office 365 tenants with GDPR. However, I don’t see the same effort going to help on-premises customers. Some documentation exists to deal with certain circumstances (like how to remove messages held in Recoverable Items), but it seems that on-premises customers have to figure out a lot of things for themselves.

This is understandable. Each on-premises deployment differs slightly and exists inside specific IT environments. Compared to the certainty of Office 365, developing software for on-premises deployment must accommodate the vertical and company specific requirements with integrations and bespoke developments.

On-premises software is more flexible, but it is also more complicated.
Solutions to help on-premises customers deal with GDPR are more of a challenge than Microsoft or other software vendors want to take on, especially given the industry focus on moving everything to the cloud.

Solutions like auto-label policies are unavailable for on-premises servers. Those running on-premises SharePoint and Exchange systems must find their own ways to help the businesses that they serve deal with personal data in a manner that respects GDPR. Easier said than done and needs to start sooner than later.
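For on-premises content that auto-label policies cannot reach, the sketch below shows the kind of matching a home-grown classifier needs: a pattern for each data type, confirmed by a checksum so that arbitrary digit strings are not labelled. It is an added example, not Microsoft's implementation or code from the original article; the three data types, the function names and the sample texts are constructed for illustration, and only the label name comes from the policy described above.

```python
import re

LABEL = "GDPR personal data"  # label name used by the policy in the article


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move 4 chars to the end, letters A=10..Z=35."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


# (type name, candidate pattern, validator). Illustrative types only.
DETECTORS = [
    ("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ("iban",
     re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"),
     iban_ok),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
     lambda m: True),
]


def classify(text: str) -> list:
    """Return the sorted names of data types with a validated match."""
    hits = set()
    for name, pattern, valid in DETECTORS:
        if any(valid(m.group(0)) for m in pattern.finditer(text)):
            hits.add(name)
    return sorted(hits)


def label_for(text: str):
    """Label to stamp on the item, or None if nothing personal was found."""
    return LABEL if classify(text) else None


# Constructed sample documents (test card number and the textbook IBAN).
SAMPLES = {
    "refund.txt": "Refund to card 4111 1111 1111 1111 for j.doe@example.com",
    "payment.txt": "Pay supplier IBAN GB82 WEST 1234 5698 7654 32 by Friday",
    "order.txt": "Order 4111 1111 1111 1112 shipped",  # fails the checksum
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text), label_for(text))
```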

SharePoint Online GitHub Hub

If you work with SharePoint Online, you might be interested in the SharePoint GDPR Activity Hub. At present, work is only starting, but it is a way to share information and code with like-minded people.

ISV Initiatives

There are many ISV-sponsored white papers on GDPR and how their technology can help companies cope with the new regulations. There is no doubt that these white papers are valuable, if only for the introduction and commentary by experts that the papers usually feature. But before you resort to an expensive investment, ask yourself whether the functionality available in Office 365 or SQL is enough.

Technology Only Part of the Solution

GDPR will affect Office 365 because it will make any organization operating in the European Union aware of new responsibilities to protect personal data. Deploy Office 365 features to support users in their work, but do not expect Office 365 to be a silver bullet for GDPR. Technology seldom solves problems on its own. The nature of regulations like GDPR is that training and preparation are as important if not more important than technology to ensure that users recognize and properly deal with personal data in their day-to-day activities.

Synergy is a well-established solution provider across the Middle East region.
Synergy has a strong presence in several key verticals: Manufacturing, Construction, Hospitality, Insurance, Financial Services, Government, Media, Oil and Gas, Distribution.
Synergy is particularly well known as a Gold Partner of both Infor Sunsystems and Microsoft Dynamics Ax, and for its implementation expertise and exceptional support. It has been based centrally in Dubai in the Karama district since it was registered in 1991, and occupies a 7,000 sq ft office with around 80 full time employees.